Writeup - VulnHub - Infovore
Let’s start with a simple nmap scan by running nmap -sC -sV -p- <vulnmachineIP>.
This returns an Apache web server running on port 80:
Reviewing the page source and clicking around the page does not seem to reveal much information, just the title “Include me”, which sounds like a hint for Local File Inclusion (LFI).
Running dir (directory enumeration) reveals other files such as info.php, index.php and index.html.
The info.php file is directly exposed, which gives more information about the target.
I decided to fuzz the index.php parameters to look for an LFI, and found a “filename” parameter which only seemed to allow /etc/passwd.
After more searching I discovered an exploit at https://raw.githubusercontent.com/M4LV0/LFI-phpinfo-RCE/master/exploit.py.
I changed the IP and port and modified some bits of the exploit, such as:
POST /phpinfo.php?a= -> POST /info.php?a=
GET /index.php?lfi= -> GET /index.php?filename=
The exploit successfully returns a reverse shell. We are in a Docker environment; moving to the web directory at /var/www/html, our first flag lies inside user.txt!
We’ll need to extract .oldkeys.tgz to a separate folder such as tmp and read its contents. It seems to contain a private key, which we’ll crack with john.
The cracked key is choclate93. We’ll use this to enter root, in case a password is needed, and after navigating inside the folders we get our second flag at root.txt.
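From the defender’s side, the two steps above leave a distinctive trail in the Apache access log: traversal or absolute paths in the index.php “filename” parameter, and hits (especially POSTs) on the exposed info.php. The following detector is an added example, not part of the original writeup or the exploit; the log lines are constructed, and the log format assumed is Apache’s common/combined format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample Apache access-log lines (not taken from the original writeup).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2024:10:01:09 +0000] "GET /info.php HTTP/1.1" 200 65000
10.0.0.5 - - [10/Mar/2024:10:01:15 +0000] "GET /index.php?filename=/etc/passwd HTTP/1.1" 200 1800
10.0.0.5 - - [10/Mar/2024:10:01:20 +0000] "GET /index.php?filename=..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 300
10.0.0.5 - - [10/Mar/2024:10:01:31 +0000] "POST /info.php?a=AAAA HTTP/1.1" 200 70000
10.0.0.7 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php?filename=about.html HTTP/1.1" 200 900
"""

# Common log format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def classify(method, target):
    """Return alert tags for one request; an empty list means nothing suspicious."""
    tags = []
    parts = urlsplit(target)
    # phpinfo leaks paths, config and upload temp-file names, which is exactly what
    # an LFI-to-RCE chain needs: alert on any hit, and a POST has no legitimate use.
    if parts.path.endswith("/info.php"):
        tags.append("phpinfo-exposure")
        if method == "POST":
            tags.append("phpinfo-post")
    # The include parameter on index.php: flag absolute paths and traversal.
    # parse_qs already decodes once; a second unquote catches double-encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get("filename", []):
        decoded = unquote(value)
        if decoded.startswith("/") or "../" in decoded or "..\\" in decoded:
            tags.append("lfi-attempt")
            break
    return tags


def scan(log_text):
    """Map each suspicious request target to its alert tags."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        tags = classify(m["method"], m["target"])
        if tags:
            findings[m["target"]] = tags
    return findings
```

On the sample above, scan(SAMPLE_LOG) reports four of the six requests and leaves the plain index.php hit and the about.html include alone.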
We’re now admin on the host system. Since our user is in the docker group, we can abuse this privilege by mounting the host’s filesystem into one of the Docker containers, thus gaining full authority over it.
We mount it with: docker run -v /:/mnt/<anyname> -ti imgid /bin/bash.
Navigate to the root directory and you’ll find the mounted filesystem; the last flag is in root.txt.